
fix: Use unscored severity only in absence of any CVSS baseScore #7530

Merged (1 commit, Mar 16, 2025)

Conversation

aikebah (Collaborator) commented Mar 15, 2025

fixes #7528

Description of Change

Only use the fabricated high-watermark guesstimated CVSSv2 score for breaking the build when there is not any datasource that has published a CVSS base score for the vulnerability.

Have test cases been added to cover the new functionality?

no

fixes #7528

Only use the fabricated high-watermark guesstimated CVSSv2 score for breaking the build when there is not any datasource that has published a CVSS base score for the vulnerability.
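To make the before/after behaviour of the threshold check concrete, here is an added illustration; it is not DependencyCheck's own code. The type names, the severity-to-score mapping (`highWatermarkFor`) and the sample scores are assumptions constructed for the example; only the rule itself comes from the PR description.

```java
import java.util.List;

// Illustration of the failOnCVSS evaluation before and after this fix.
// Not DependencyCheck's code: types, mapping values and samples are assumed.
public class FailOnCvssExample {

    /** A CVSS base score published by one data source (version 2, 3 or 4). */
    record Cvss(int version, double baseScore) {}

    /** A vulnerability: its published CVSS records (possibly none) plus a textual severity. */
    record Vulnerability(String id, List<Cvss> published, String severity) {}

    /** Hypothetical high-watermark guesstimate for a severity that carries no numeric score. */
    static double highWatermarkFor(String severity) {
        return switch (severity.toUpperCase()) {
            case "CRITICAL", "HIGH" -> 10.0; // assumed worst-case placeholder
            case "MEDIUM" -> 6.9;
            case "LOW" -> 3.9;
            default -> 0.0;
        };
    }

    /** Highest baseScore any data source published, or 0.0 when there is none. */
    static double maxPublished(Vulnerability v) {
        double max = 0.0;
        for (Cvss c : v.published()) {
            max = Math.max(max, c.baseScore());
        }
        return max;
    }

    /** Before the fix: the guesstimate always competes with the real scores and can outrank them. */
    static boolean failsBuildBefore(Vulnerability v, double failOnCvss) {
        return Math.max(highWatermarkFor(v.severity()), maxPublished(v)) >= failOnCvss;
    }

    /** After the fix: the guesstimate is consulted only when no source published a baseScore. */
    static boolean failsBuildAfter(Vulnerability v, double failOnCvss) {
        if (v.published().isEmpty()) {
            return highWatermarkFor(v.severity()) >= failOnCvss;
        }
        return maxPublished(v) >= failOnCvss;
    }

    public static void main(String[] args) {
        // Constructed samples: one with a published CVSSv3 score and a "HIGH" label, one label-only.
        Vulnerability scored = new Vulnerability("CVE-EXAMPLE-0001", List.of(new Cvss(3, 7.5)), "HIGH");
        Vulnerability unscored = new Vulnerability("CVE-EXAMPLE-0002", List.of(), "HIGH");
        double failOnCvss = 10.0; // the threshold from the linked issue
        System.out.println("before, scored:   " + failsBuildBefore(scored, failOnCvss));
        System.out.println("after,  scored:   " + failsBuildAfter(scored, failOnCvss));
        System.out.println("after,  unscored: " + failsBuildAfter(unscored, failOnCvss));
    }
}
```

With a real 7.5 score present, only the pre-fix variant breaks a build configured with failOnCVSS 10.0; the label-only vulnerability still falls back to the guesstimate in both variants.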
boring-cyborg bot added labels ant (changes to ant), cli (changes to the cli), core (changes to core), maven (changes to the maven plugin) on Mar 15, 2025
aikebah added a commit to aikebah/dependency-check-gradle that referenced this pull request Mar 15, 2025
…add CVSSv4 score evaluation

Counterpart for gradle-plugin of dependency-check/DependencyCheck#7530

Fixes dependency-check/DependencyCheck#7528 in the gradle plugin and adds the still missing CVSSv4 score to the threshold evaluations
jeremylong (Collaborator) left a comment:

LGTM

@jeremylong jeremylong merged commit 91ffcf6 into main Mar 16, 2025
8 checks passed
@jeremylong jeremylong deleted the fix/issue-7528 branch March 16, 2025 11:43
Labels: ant (changes to ant), cli (changes to the cli), core (changes to core), maven (changes to the maven plugin)
Development

Successfully merging this pull request may close these issues.

Build fails at CVSS 9.8 even when failOnCVSS is set to 10.0 for cve-2021-23369
2 participants